fix(gateway): scrub memory-context leaks from vision auto-analysis output

fixes #5719 The auxiliary vision LLM called by gateway._enrich_message_with_vision can echo its injected Honcho system prompt back into the image description. That description gets embedded verbatim into the enriched user message, so recalled memory (personal facts, dialectic output) surfaces into a user-visible bubble. Strips both forms of leak before embedding: - <memory-context>...</memory-context> fenced blocks (sanitize_context) - trailing '## Honcho Context' sections (header + everything after) Plus regression tests: - tests/agent/test_streaming_context_scrubber.py — 13 tests on the stateful scrubber (whole block, split tags, false-positive partial tags, unterminated span, reset, case-insensitivity) - tests/run_agent/test_run_agent_codex_responses.py — 2 new tests on _fire_stream_delta covering the realistic 7-chunk leak scenario and the cross-turn scrubber reset - tests/gateway/test_vision_memory_leak.py — 4 tests covering the vision auto-analysis boundary (clean pass-through, '## Honcho Context' header, fenced block, both patterns together)
2026-05-13 03:52:00 +00:00 · 2026-04-24 18:33:19 -04:00 · 2026-04-24 18:33:19 -04:00 · edc23e888d
commit edc23e888d
parent 6fe522cabd
4 changed files with 309 additions and 0 deletions
--- a/gateway/run.py
+++ b/gateway/run.py
@ -8253,6 +8253,7 @@ class GatewayRunner:
            The enriched message string with vision descriptions prepended.
        """
        from tools.vision_tools import vision_analyze_tool
+        from agent.memory_manager import sanitize_context

        analysis_prompt = (
            "Describe everything visible in this image in thorough detail. "
@ -8271,6 +8272,14 @@ class GatewayRunner:
                result = json.loads(result_json)
                if result.get("success"):
                    description = result.get("analysis", "")
+                    # The auxiliary vision LLM can echo injected system-prompt
+                    # memory context back into its output (#5719).  Scrub any
+                    # <memory-context> fences and the "## Honcho Context"
+                    # section before the description lands in a user-visible
+                    # message.
+                    description = sanitize_context(description)
+                    if "## Honcho Context" in description:
+                        description = description.split("## Honcho Context", 1)[0].rstrip()
                    enriched_parts.append(
                        f"[The user sent an image~ Here's what I can see:\n{description}]\n"
                        f"[If you need a closer look, use vision_analyze with "